----- Original Message ----- 
From: "Stanley Hopcroft" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, January 14, 2002 10:36 AM
Subject: Re: Why DNS/IP in certificate?


> Dear Ladies and Gentlemen,
> 
> I am writing to thank you for your comments about this matter and ask
> 
> On Thu, Jan 10, 2002 at 09:34:50AM -0500, Neff Robert A wrote:
> > 
> > The client needs to verify who it is connected to.
> > Anyone in the world can present a certificate to
> > establish an ssl connection.  In a nutshell, the
> > checks that need to be made on the client end are:
> >   a. Do you trust the signer of the certificate received
> >   b. Is the CN contained within the cert what you expect
> > 
> 
> ..snip..
> 
> >  Your next task is to ensure that the
> > trusted cert truly came from the site you expected and
> > not www.someothersite.com.  The browser does this step by
> > comparing the CN contained in the cert to the URL address
> > typed into your browser.  Your own app must do so as well...
> > 
> 
> is it possible to have an OpenSSL server located behind a Network Address
> Translation device (a NAT device is sometimes part of firewalls, eg
> the Cisco PIX) and still have the client handshake complete without
> error ?
> 
> Here is the scenario.
> 
> Server has valid certificate signed by root CA for Distinguished Name
> 'S'.
> 
> DNS responds to an A record request from the client for S, with the
> public interface of the NAT device (PTR query for that address also
> returns S), but the OpenSSL server with that cert has a completely
> different address (because it's been translated)
> 
> One might do this because of outsourcing or merger activities that
> result in a new or different firewall.
> 
> Presumably the network between the NAT box and the OpenSSL server is
> secure enough to be tolerable.
> 
> So :-
> 
> 1 Will the scenario above work ?
> 2 If not, how can it be made to work ? 
> 
> Thank you,
> 
> Yours sincerely.
> 
> -- 
> ------------------------------------------------------------------------
> Stanley Hopcroft                                      Network Specialist
> ------------------------------------------------------------------------
> 
> '...No man is an island, entire of itself; every man is a piece of the
> continent, a part of the main. If a clod be washed away by the sea,
> Europe is the less, as well as if a promontory were, as well as if a
> manor of thy friend's or of thine own were. Any man's death diminishes
> me, because I am involved in mankind; and therefore never send to know
> for whom the bell tolls; it tolls for thee...'
> 
> from Meditation 17, J Donne.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]

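The two client-side checks the quoted reply lists (trust the signer, then compare the name in the cert with the name you asked for), written out as an added Python example that is not part of the original thread. The cert dicts are constructed in the shape `ssl.SSLSocket.getpeercert()` returns, and `s.example.test` stands in for the Distinguished Name 'S' from the scenario; the peer's IP address is never an input to the name check, which is why a NAT in front of the server does not disturb it as long as the client connects by the name S.

```python
def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against the hostname the client asked for.

    '*' is honoured only as the whole leftmost label and matches exactly one
    label: '*.example.com' covers 'www.example.com' but not 'example.com'
    or 'a.b.example.com'. Comparison is case-insensitive.
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern:
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse wildcards that would cover a whole TLD, e.g. '*.com'.
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_names(cert: dict) -> list:
    """Names to check: SAN dNSName entries if present, otherwise the subject CN."""
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def verify_server_identity(cert: dict, expected_host: str, signer_trusted: bool) -> tuple:
    """Return (ok, reason). signer_trusted is the outcome of check (a),
    i.e. whether the chain validated against a CA you trust."""
    if not signer_trusted:
        return False, "signer not trusted"
    names = cert_names(cert)
    if not any(hostname_matches(n, expected_host) for n in names):   # check (b)
        return False, "expected %s, cert is for %s" % (expected_host, names)
    return True, "ok"


# Constructed sample certs (hypothetical names): the server's cert for 'S' and
# a cert for some other site, as in the quoted reply.
SERVER_CERT = {"subject": ((("commonName", "s.example.test"),),)}
OTHER_CERT = {"subject": ((("commonName", "www.someothersite.com"),),)}

if __name__ == "__main__":
    # The client resolved s.example.test to the NAT's public address and the
    # packets were translated on the way in; no address is consulted here.
    print(verify_server_identity(SERVER_CERT, "s.example.test", True))
    print(verify_server_identity(OTHER_CERT, "s.example.test", True))
```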
